FTC Official Highlights FCRA Enforcement as a High Priority

Earlier this month, Maneesha Mithal, Associate Director of the Federal Trade Commission’s Division of Privacy and Identity Protection, testified before the U.S. Senate Subcommittee on Consumer Protection, Product Safety, and Insurance regarding consumer report accuracy and the FTC’s efforts to improve accuracy through education and enforcement.  Her testimony emphasized the impact that consumer report errors may have on a consumer’s ability to obtain credit or other benefits.  Ms. Mithal also reiterated that “vigorous enforcement” of the Fair Credit Reporting Act is a “high priority” for the agency. 

As described in Ms. Mithal’s testimony, the FTC has enforced many different aspects of the FCRA in the past decade, from imposing a $2.6 million civil money penalty against HireRight for providing employment background screening services without complying with the FCRA to a $2.5 million fine against Asset Acceptance, LLC for furnishing inaccurate information to consumer reporting agencies.  In addition, the FTC recently has sent letters to data broker companies and letters to operators of websites that share consumers’ rental histories with landlords informing the recipients that they may be subject to the FCRA.  

We expect the FTC and CFPB to continue to prioritize FCRA enforcement going forward.

Cyber Theft Bill Introduced by Bipartisan Group of Senators

On Tuesday, Senators Carl Levin (D-MI), John McCain (R-AZ), Jay Rockefeller (D-WV), and Tom Coburn (R-OK) introduced the “Deter Cyber Theft Act.”

The Act would require the Director of National Intelligence (“DNI”) to provide relevant congressional committees with an annual report on “foreign economic and industrial espionage in cyberspace.”  The report would require the DNI to identify “foreign countries that engage in economic or industrial espionage in cyberspace with respect to trade secrets or proprietary information owned by United States persons” and “priority foreign countries”—those countries that the DNI “determines engage in the most egregious economic or industrial espionage in cyberspace.”  The bill specifies that the DNI must identify foreign countries pursuant to the Act  if the foreign government “engages in economic or industrial espionage in cyberspace with respect to trade secrets or proprietary information owned by United States persons” or “facilitates, supports, fails to prosecute, or otherwise permits such espionage by” its citizens or residents or entities organized under its laws or subject to its jurisdiction.

Covington Files Comments on Cybersecurity Incentives

Executive Order 13,636 on Improving Critical Infrastructure Cybersecurity directs the National Institute of Standards and Technology (“NIST”) to develop a Cybersecurity Framework  of standards, methodologies, and processes for addressing cybersecurity risk.  It also charges the Department of Homeland Security with developing a Critical Infrastructure Cybersecurity Program to promote adoption of the Cybersecurity Framework by critical infrastructure entities.  To facilitate these initiatives, the Executive Order instructs the Secretaries of Homeland Security, Treasury, and Commerce to recommend incentives to promote participation in the Program.   

On March 28, the Department of Commerce, through the Office of the Secretary, NIST, and the National Telecommunications and Information Administration (“NTIA”), issued a Notice of Inquiry regarding “Incentives To Adopt Improved Cybersecurity Practices.”  Yesterday, representatives of Covington & Burling LLP and The Chertoff Group filed comments in response to the Notice of Inquiry.  The comments set out several principles for the Department of Commerce to consider in structuring incentives for participation in the Program.  The comments are based on the professional experience of the representatives and are not offered on behalf of any client of either firm or any other entity.

All of the comments submitted in response to the Notice of Inquiry are available on the NTIA website.

ECPA Reform Bill Sails Through Senate Judiciary Committee

Yesterday, a bill that would reform the Electronic Communications Privacy Act of 1986 ("ECPA") was approved by the Senate Judiciary Committee on a voice vote. Under ECPA, as it currently stands, police need only a subpoena, issued without approval by a judge, to access private e-mails that have already been opened or that are more than 180 days old. Under the reform bill, which was sponsored by Committee Chairman Patrick Leahy (D-Vt.) and Senator Mike Lee (R-Utah), police would have to obtain a search warrant before requiring providers of electronic communications services to provide them access to e-mails and other private online content, including Facebook messages.

Privacy advocates, including public interest organizations and Internet businesses, have long urged Congress to update ECPA to bring it in line with the myriad technological changes that have taken place since its enactment nearly 30 years ago, as well as consumers' evolving expectations of privacy in their electronic communications. A statement by Computer & Communications Industry Association president and CEO Ed Black reflects that widespread position: "This is a long overdue step toward bringing our online privacy laws closer to both our existing Fourth Amendment protections and our reasonable expectations for privacy. . . . Most people don't realize that six-month-old emails have different levels of privacy protection than newer emails." The Internet Association, an organization of prominent Internet businesses including Facebook, Google, and eBay, called the Senate Judiciary Committee's passage of the ECPA reform bill "a significant step in safeguarding the privacy of users' electronically stored content." The passage of the bill through the Judiciary Committee on a voice vote bodes well for its chances of being passed by the full Senate.

Cyber Intelligence Sharing and Protection Act Passes House Intelligence Committee

In a vote Wednesday afternoon, the House Permanent Select Committee on Intelligence passed the Cyber Intelligence Sharing and Protection Act (“CISPA”).  Eighteen Representatives voted in favor of the bill, and two--Rep. Adam Schiff (D-CA) and Rep. Jan Schakowsky (D-IL)--voted against.

The Committee adopted amendments that Chairman Mike Rogers (R-MI) and Ranking Member Dutch Ruppersberger (D-MD) outlined on Monday in response to privacy and other concerns voiced about the bill.  In particular, amendments were adopted to eliminate a provision enabling the government to use shared information for broad “national security purposes,” to require the government to remove personally identifiable information from information shared pursuant to the bill, and to clarify that the bill does not allow companies to “hack back” entities that engage in cyber theft.

The panel did not adopt amendments offered by Representatives Schiff and Schakowsky.  Those amendments would have required private sector entities to remove personally identifiable information before sharing data with the government, limited liability protection available to companies that share information, and required information to be shared first with a civilian agency, rather than the National Security Agency.

Reflections on Legal and Policy Developments in Cybersecurity

By David N. Fagan and Kristen E. Eichensehr 

On March 28, our firm hosted an event, co-sponsored with The Chertoff Group, on Legal and Policy Developments in Cybersecurity.  The event featured keynote addresses by former Secretary of Homeland Security Michael Chertoff, now Senior Of Counsel with Covington and founder of The Chertoff Group, and Representative Mike Rogers (R-MI), Chairman of the House Permanent Select Committee on Intelligence (“HPSCI”) and principal sponsor of the Cyber Intelligence Sharing and Protection Act (“CISPA”), which passed the House last year and is expected to be re-introduced and voted upon in HPSCI soon. 

The program also included a panel discussion examining the scope of the cybersecurity threat confronting the government and private sector; how law, regulation, and policy may address the threat; and certain competing policy imperatives, including balancing security and economic considerations.  The panel included three partners at Covington -- David Fagan (who moderated), John Veroneau (international trade), and Robert Nichols (government contracting) -- along with Prescott Winter, Managing Director of the Chertoff Group; James Mulvenon of Defense Group, Inc.; and Scott Aaronson of the Edison Electric Institute. 

As Congress moves toward votes on cybersecurity legislation, we thought it would be timely to offer some reflections on the program and panel discussion.  In particular, while cybersecurity is a topic du jour in Washington and the press, the program sought to dig deeper than the headlines, unpack the complexity of cybersecurity, and explore how the interconnection of systems and the related threats impact various legal, policy, and business considerations.  The following are some observations from the event:

DOJ Supports Modernization of ECPA

A Justice Department official told a House panel this week that Congress should modernize the Electronic Communications Privacy Act, a 1986 statute that creates rules governing access by law enforcement and other government agencies to user information stored with Internet communication service providers.

In particular, the Justice Department recognizes that it no longer makes sense to maintain rules in the statute that permit law enforcement to access communications content that is more than 180 days old with a subpoena, while requiring a warrant for more recent communications. 

Do Not Track Online Act Reintroduced in Senate

By Emily Borgen & Steve Satterfield

Legislation was reintroduced in the Senate last week that would allow Internet users to opt out of certain forms of online tracking. The bill was previously introduced in 2011.

The “Do-Not-Track Online Act of 2013,” introduced on February 27 by Senators Rockefeller (D-W.Va.) and Blumenthal (D-Conn.), would require the Federal Trade Commission to create rules for the implementation of a mechanism that would enable an individual to “simply and easily indicate whether [the] individual prefers to have personal information collected by providers of online services” -- in other words, a "Do Not Track" mechanism.  The FTC rules, which would generally prohibit collecting information from users who have opted out of such collection, would be enforced by the FTC and state attorneys general.

The bill contains two exceptions that would permit entities to collect and use information collected online from users who have enabled the do not track mechanism.  First, entities would be permitted to collect information necessary to the “basic functionality and effectiveness” of a requested service, so long as the information is anonymized or deleted after the provision of the service.  Second, the bill would permit entities to request that users opt-in to collection and use of their information; in other words, entities would be permitted to collect information from users who opt in regardless of whether those users had enabled the Do Not Track mechanism.

The timing of the bill’s reintroduction is significant for at least two reasons.  First, this month marks one year since the release of the FTC’s report in which the FTC urged industry to create a do not track mechanism.  In statements made around the time of the report’s release, FTC commissioners suggested that the agency might support Do Not Track legislation if industry did not establish such a mechanism on its own.  Second, just last month, reports emerged that the principal effort at developing an industry-based Do Not Track mechanism -- the W3C’s Tracking Protection Working Group -- was beginning to make substantial progress in finalizing its specifications.  Additional progress by this group could affect further calls for legislation.

President Obama Issues Cybersecurity Executive Order

In his State of the Union message on Tuesday, President Obama announced that he had signed an Executive Order addressing the cybersecurity of  critical infrastructure.  President Obama emphasized that in the face of threats to corporate secrets, the power grid, and financial institutions, among others, “We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”

The Executive Order follows legislative efforts in the last Congress to pass comprehensive cybersecurity bills.  After the Cybersecurity Act of 2012 (S. 3414) failed to pass in August 2012, Deputy National Security Adviser John Brennan mentioned in an appearance at the Council on Foreign Relations that the President was considering issuing an Executive Order to implement portions of the cybersecurity legislation.  In the subsequent months, the White House sought industry input on the Order.

The Order has two main components: increasing information sharing from the government to the private sector and establishing a Cybersecurity Framework to buttress the security of critical infrastructure. 

Bill Would Set Federal Restrictions on Employer, School Access to Personal Online Accounts

A bill reintroduced in the U.S. House of Representatives on Wednesday would prohibit employers and schools from requesting or demanding access to employees’ or students’ personal social-media accounts.

The bill, titled the “Social Networking Online Protection Act,” would bar employers from requesting or requiring that employees or job applicants provide the employer access to personal e-mail or social-networking accounts.  The bill also would bar employers from firing or otherwise retaliating against an employee or applicant for refusing or complaining about such a request. Violations would carry a civil penalty of up to $10,000, and the bill would authorize the Secretary of Labor to seek an injunction against practices that violate the law.

The bill would establish similar protections for students or applicants at colleges and K-12 schools receiving federal funds. 

FTC and Senate Commerce Committee Staffers Suggest Cautious Approach to "Big Data"

Yesterday, industry and government panelists participated in a conference sponsored by the Congressional Internet Caucus Advisory Committee that included a panel discussion on “Plumbing the Policy Implications of Data Analytics and Defining ‘Big Data,’ The Year’s Most Overused Term.”

According to press reports, Federal Trade Commission Senior Policy Adviser and panelist Paul Ohm acknowledged that big data may have potential benefits to public health and research, but also noted that the benefits of big data “tend to get overblown.”  Mr. Ohm stated that, “when there is an expense to privacy, I think we should have discussions about whether the benefits [of big data] outweigh the costs.” 

Erik Jones, Deputy General Counsel of the Senate Commerce Committee, told participants that the Committee is investigating the collection of big data for use by companies to market to consumers. He pointed specifically to last year’s inquiry by Commerce Committee Chairman John D. Rockefeller IV (D-WV) into the activities of nine data brokers. According to press reports, Mr. Jones stated that the Committee is “not suggesting that there’s something inherently wrong” with the use of big data for marketing purposes, but indicated that the Committee wants to learn more about what information is being collected and how that information is used.

Mr. Ohm also expressed concern generally about whether supposedly anonymous data can be linked to real people in a world of “big data.” 

Rep. Johnson Releases Discussion Draft of Mobile App Privacy Bill Following NTIA's 8th Meeting Concerning a Voluntary Code of Conduct

On Friday, Rep. Hank Johnson (D-Ga.) released a discussion draft of a bill for mobile privacy. Named the Application Privacy, Protection and Security Act of 2013 (“APPS Act”), the bill would obligate app developers to disclose to users the terms and conditions around the collection, use, storage, and sharing of user data. Additionally, the bill would require apps to allow users to opt out of the service and delete personal data collected by the app. The Federal Trade Commission would head enforcement and state attorneys general could bring suits against those who violate the regulations promulgated by the FTC.

In drafting the bill, Johnson and his Web-based initiative, AppRights, held meetings with members of the Internet community, public-interest groups, app developers, and other industry stakeholders. AppRights stated: “Over the coming days, we will release helpful clarifications of the updated provisions of the APPS Act so that everyone is on the same page.” It is not yet clear when the bill will be introduced to Congress as possible legislation.

Foreign and Economic Espionage Penalty Enhancement Act of 2012 Signed Into Law

In an effort to stem the tide of intellectual property theft from U.S. companies, on January 14, 2013, President Obama signed H.R. 6029, the Foreign and Economic Espionage Penalty Enhancement Act of 2012.

The Act increases the penalties for trade secret theft under the Economic Espionage Act of 1996 for crimes that the perpetrator knows or intends to benefit a foreign government, instrumentality or agent.  The Economic Espionage Act had prescribed fines of not more than $500,000 for individuals and not more than $10 million for organizations (18 U.S.C. § 1831).  The new Act increases those fines to not more than $5 million for individuals and “not more than the greater of $10,000,000 or 3 times the value of the stolen trade secret to the organization, including expenses for research and design and other costs of reproducing the trade secret that the organization has thereby avoided” for organizations.  Section 3 of the new Act also directs the United States Sentencing Commission to review and “if appropriate” increase the penalties provided by the Federal Sentencing Guidelines for economic espionage or trade secret theft “relating to the transmission or attempted transmission of a stolen trade secret outside of the United States” to “reflect the seriousness of these offenses, account for the potential and actual harm caused by these offenses, and provide adequate deterrence against such offenses.”

A House Report on the bill explains that “[b]y strengthening penalties and enhancing criminal deterrence, the bill protects U.S. jobs and technologies while promoting investments and innovation.”  The report cites an October 2011 report by the National Counterintelligence Executive, statements by Director of National Intelligence James R. Clapper, and data from the FBI to emphasize the state-sponsored nature of many instances of trade secret theft and the magnitude of information stolen from U.S. companies.  The legislation builds on proposals from the Obama Administration’s March 2011 White Paper on Intellectual Property Enforcement Legislative Recommendations.  Although partisan discord has surrounded other legislative efforts to address cybersecurity, the Foreign and Economic Espionage Penalty Enhancement Act passed the Senate by unanimous consent and passed the House by a voice vote.

The Video Privacy Protection Act Amendments: A Final Analysis

Yesterday, President Obama signed into law the “Video Privacy Protection Act Amendments Act of 2012,” a law that amends the VPPA’s notoriously vague consent provision.  As originally enacted, the VPPA allowed “video tape service providers” to disclose consumers’ “personally identifiable information” (including their video viewing histories) with a consumer’s consent only if that consent were “informed, written . . . [and] given at the time the disclosure [was] sought.”  Even in the brick-and-mortar world of 1988 (when the VPPA was passed), this consent provision was confusing.  What did it mean to provide consent “at the time the disclosure [was] sought”?  “Sought” by whom (the video tape service provider, the consumer or a third party)?  Could a consumer authorize a disclosure in advance of its occurrence? 

The application of the consent provision has become even more vexed over time, as video distribution has changed radically.  Some have argued that the VPPA is broad enough to govern the disclosure of video viewing activities online, and so online video service providers have grown increasingly interested in this once-obscure statute.  Late last year, Congress acted to help clarify the consent issue.

After the jump, we provide our final analysis of the amendments. 

Senate Passes VPPA Amendment; Bill Heads to President Obama

Last night, the Senate passed an amendment to the Video Privacy Protection Act, 18 U.S.C. § 2710, designed to make it easier for users to share their online video viewing activities.   (We’ve discussed the amendment’s content here and here.)  President Obama is expected to sign the bill into law. 

Netflix, the most prominent backer of the bill, released a statement applauding Congress’s quick action on the measure.  According to CNET, the video provider now plans to introduce social features for its U.S. members in 2013. 

House Passes Updated VPPA Amendment

Continuing the flurry of activity around privacy legislation that we have seen over the past few weeks, the House today passed an amendment to the Video Privacy Protection Act (“VPPA”), 18 U.S.C. § 2710. The bill would amend the VPPA by clarifying that a consumer may consent to the disclosure of her video viewing information “through an electronic means using the Internet” (e.g., by clicking a button or ticking a box) and that such consent can be provided in advance of a disclosure and continue for a set period of time or until the consumer withdraws her consent.

The House passed a similar bill, H.R. 2471, in December of 2011.  As we’ve previously noted, Senator Leahy created a substitute amendment for H.R. 2471 that included amendments to the Electronic Communications Privacy Act, and several minor modifications to the VPPA portion.  The substitute amendment passed the Senate Judiciary Committee in late November.  The bill passed today, H.R. 6671, contains the same VPPA language as the Senate version, but does not include the ECPA amendments proposed by Sen. Leahy. 

H.R. 6671 will now head back to the Senate, where, The Hill reports, it could be considered in the coming weeks. 

FTC Announces Amended Rule on Identity Theft "Red Flags"

On Friday, November 30, the Federal Trade Commission (FTC) issued an Interim Final Rule to amend its Red Flags Rule, which requires certain financial institutions and creditors to establish programs to detect, prevent and mitigate identity theft in connection with consumer accounts.  The Interim Final Rule narrows the definition of “creditor” in response to legislation passed by Congress in December 2010 (as covered in previous blog posts), excluding from the definition most doctors, lawyers, and other professionals who do not receive full payment at the time their service is furnished.  The rule is effective on February 11, 2013, and the FTC is seeking comments on the rule until that time.     

The Interim Final Rule narrows the circumstances under which creditors are covered by the Rule in an attempt to be consistent with Congress’s legislation. The amended Rule now provides that a creditor is covered only if, in the ordinary course of business, it regularly: (1) obtains or uses consumer reports in connection with a credit transaction; (2) furnishes information to consumer reporting agencies in connection with a credit transaction; or (3) advances funds to or on behalf of a person (except for a creditor who advances funds on behalf of the person for expenses incidental to a service provided by the creditor to that person).   

Under the Rule, covered entities’ Red Flag programs must: (1) include reasonable policies and procedures to identify signs – or “red flags” – of identity theft in the day-to-day operations of the business; (2) be designed to detect the red flags of identity theft known to the business; (3) set out the actions the business will take upon detecting red flags; and (4) be re-evaluated periodically to reflect new risks.

Senate Judiciary Committee Passes Amendment to ECPA, VPPA

Today, the Senate Judiciary Committee passed the much-discussed update to the Electronic Communications Privacy Act of 1986 and the Video Privacy Protection Act of 1988 ("VPPA"). The Committee adopted Senator Leahy's manager's amendment (which we discussed here), with a minor modification proposed by Senators Cornyn and Lee.

Senator Feinstein also offered an amendment to the VPPA portion of the bill. In its original form, the bill provided that a consumer could consent to the disclosure of her video viewing information to a third party "in advance for a set period of time or until consent is withdrawn by the consumer." Under Feinstein's amendment, which the Committee adopted, the "set period of time" for which a person may provide consent would be limited to one year. Feinstein noted that her office had been in contact with Netflix about the amendment.

Senator Leahy acknowledged that no further action would be taken on the bill in this Congress.  But he pledged to work with new House Judiciary Committee Chair Bob Goodlatte on ECPA and VPPA reform in the next Congress. 

Upton Will Continue To Chair Energy & Commerce Committee; Announces Terry Will Take Over Chairmanship of Key Subcommittee For Privacy

Earlier today, Rep. Fred Upton (R-MI) was selected by his colleagues to continue to serve as Chairman of the U.S. House Committee on Energy and Commerce, the key House committee with jurisdiction over the Federal Trade Commission and the Federal Communications Commission.  In addition, Rep. Upton announced that Rep. Lee Terry (R-NE) will take over the chairmanship of the Commerce, Manufacturing, and Trade Subcommittee, which is a key subcommittee for privacy, data security, and consumer protection.  Rep. Mary Bono Mack (R-CA), who presently serves in that role, was defeated in her reelection effort earlier this month.  

During this past session of Congress, Rep. Mack introduced data security legislation and held a number of hearings on privacy and data security topics, including hearings on consumer privacy expectations, children’s and teen privacy issues, and the impact and burden of EU privacy regulation.  Rep. Terry previously served as Vice Chair of the full Committee and has been an active member of the Communications and Technology Subcommittee.

Committee Vote on ECPA, VPPA Amendment Scheduled for Thursday

On Thursday, the Senate Judiciary Committee reportedly will vote on Sen. Patrick Leahy’s bill that would amend the Electronic Communications Privacy Act (ECPA) and the Video Privacy Protection Act (VPPA). The bill would amend the VPPA by clarifying that a consumer may consent to the disclosure of her video viewing information “through an electronic means using the Internet” (e.g., by clicking a button or ticking a box) and that such consent can be provided in advance of a disclosure and continue for a set period of time or until the consumer withdraws her consent. The amendments to ECPA would, among other things, eliminate the archaic distinctions in the current statute between the legal protections for (1) communications held by “remote computing services” and those held by “electronic communications services” (“ECS”) and (2) communications stored by an ECS for longer than 180 days and those held for a shorter period of time.

Although reports emerged last week that, in response to concerns from law enforcement, Leahy had scaled back the bill’s protections for stored electronic communications, the manager’s amendment released yesterday by Leahy’s office shows only minor modifications to the bill he introduced earlier this year.  The modifications (which are summarized here) mainly concern the time within which the government must notify an individual that the government has obtained the individual’s communications from a third-party provider, when such notice is required by ECPA. 

These changes to the original bill are intended to address concerns raised by law enforcement that the amendments could impede investigations of criminal activity.  However, reports suggest that even the revised bill still may face law enforcement opposition. 
